Software Security

Improving Smart Grid Cyber Security

(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.) Over the last couple of years Cigital has become more involved in helping companies in the Energy sector get security right. As our nation’s traditional electric grid is modernized and upgraded to the smart grid, the associated cyber security challenges continue to increase [...]

US Policy, Cyber Security and the Future of Cyberspace

Because Cigital’s corporate headquarters are near Washington, DC, you might think that we’re deeply involved with the federal government. Surprise! Though we do have a federal subsidiary called (creatively enough) Cigital Federal, a vast majority of our business is with the private sector. Whenever we get the opportunity to interact with the federal sector we [...]

Threat Modeling – Vocabulary

A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or [...]

When All You Have is a Hammer…

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]

Automate security tests and build security in from day one

Or: The ugly baby phenomenon and why you should not focus on false positives. Dr. Markus Schumacher has served as CEO and Co-Founder of Virtual Forge GmbH since 2006. The company specializes in the security of SAP applications. Dr. Schumacher was previously a representative of the Fraunhofer Institute for Secure Information Technology (SIT) and worked [...]

Moving to Mobile – New Threats

A ‘move to mobile’ represents an ideal opportunity to revisit threat modeling. The natural question: how do my threats change when I bring a mobile channel into my existing application?

More on Malware (Including Bad Ads)

Just two months ago, I invoked the malicious code problem in a Justice League blog entry. The growth in malicious code is caused by the Trinity of Trouble (connectivity, complexity and extensibility) which incidentally is also what makes the software security problem more interesting to work on every day. My most recent informIT article, titled [...]

The Stuxnet Payload

I met Silver Bullet #59 victim Ralph Langner at Joe Weiss’s Applied Control Solutions Conference in Rockville last Fall. That was when (much to the surprise of the Siemens guys there) Ralph first revealed that the Stuxnet payload was aimed directly at physical control systems. In some sense, Stuxnet has changed the world by showing [...]

Scrap Static Tools, just “Fix your code”?

Recently, Gary and I collaborated on an InformIT article on static analysis. You will find our observations regarding static analysis shared by others. It’s encouraging to note that Flash Sheridan observes many of the same difficulties and more formally treats them in his ISSRE ’10 publication. It’s worth a read. A few commentators shared some [...]

Evading WAFs and other forms of Input Validation

My colleague, David Lindsay, is one of the authors of a new book, Web Application Obfuscation, about obfuscation techniques. Even the title is somewhat obfuscated because the book is about obfuscation techniques that can be used to attack web applications. The set of techniques described in the book by David and the other authors is [...]
